When should GHSA IDs be added as aliases?

[EliahKagan]

GitHub hosts two kinds of security advisories with associated GHSA IDs:

• Entries in the GitHub Advisory Database ("global GHSA")
• Repository-local advisories, in a repository's Security tab

A repository-local advisory can be imported into the GitHub Advisory database. When this happens, they have the same GHSA ID. This situation is very common.

Sometimes a RUSTSEC advisory is requested when there is a GHSA ID but only a repository-local advisory. Usually this is because there will be a global advisory (i.e. an advisory in the GitHub Advisory Database) with that GHSA ID but it is not there yet.

At least in principle, that might not happen. For example, a repo-local advisory is occasionally created for a vulnerability that already has an existing global GHSA imported from elsewhere, or documents a condition that is covered by multiple global GHSAs, or multiple local GHSAs cover conditions that are covered as a single global GHSA. Occasionally a local GHSA may also exist, and the repository-local advisory published, for a something that is ineligible for a global GHSA.

I've noticed that GHSA alias in the RUSTSEC Advisory Database are rendered as hyperlinks to global GHSA entries. In addition, the only documentation I've found for when GHSA IDs should be added as aliases is:

advisory-db/CONTRIBUTING.md

Lines 24 to 26 in ffa2670

	Alternatively, you can create a GitHub Security Advisory (GHSA) and let them request
	a CVE for you. In this case, you can add the GHSA ID to the RustSec advisory via the
	`aliases` field.

Taken together with the way GHSA IDs linkify in RUSTSEC advisories, I had taken this to mean that a GHSA ID should only be added as an alias once it refers to an existing entry in the GitHub Advisory Database. But I've noticed that this was not really good reasoning on my part, because when a repository-local advisory is created and a CVE is requested in it, that CVE is often assigned earlier than there is an entry in the GitHub Advisory Database. CVEs are often assigned before anything is published, while entries in the GitHub Advisory Database tend to appear in the range of hours to days after the repository-local advisory is published.

Should RUSTSEC advisories for vulnerabilities with GHSA IDs used by existing, published repository-local advisories, have those GHSA IDs listed as aliases...

1. Regardless of whether there is or will be an entry in the GitHub Advisory Database?
2. When there either is or is expected to be an entry in the GitHub Advisory Database?
3. Only when the GHSA ID already refers to an entry in the GitHub Advisory Database?

I noticed that the approach I've been taking, (3), might not be the best one, when I was recently waiting to add it the GHSA as an alias for a vulnerability that I was already primarily referring to by that GHSA ID.

Please note that this question is not the same as whether the local GHSA should be linked explicitly in an advisory. I believe a repository-local GHSA for a vulnerability that has a RUSTSEC advisory should always be listed as the url or in references in that RUSTSEC advisory, whether or not the GHSA ID also identifies an entry in the GitHub Advisory Database. This question is specifically about when it should be listed in aliases.